Case study of a Trust Service Provider (TSP) on private Bug Bounty program

What made you decide to launch a Bug Bounty program? 

We mainly launched a bug bounty because of our short delivery cycles. We were used to doing “traditional” pentests once a year, but as we have a lot of changes every month on our scopes, we simply could not wait 12 months for the next audit. Bug Bounty enables us to carry out continuous checks, for each release, update, new delivery, etc.

What value can Bug Bounty add compared to traditional cyber security solutions (e.g. pen testing)?

ROI: being able to pay for results only is very important for a small organisation like ours with limited budgets. With traditional pentests, we have to pay even if nothing has been found. Our last pentest cost around €8,000 and no major vulnerabilities were reported.

After two months running our program, dozens of security flaws had been reported, including some critical vulnerabilities never reported through previous audits, for a reward budget totalling around half of the cost of a single audit. 

I would also mention diversity – pen testing is too “academic” and just doesn’t meet our real needs. Most pentesters run tools and tick boxes: as a result there are too many things, too many vulnerabilities, that aren’t found. The diversity of hunters and their range of skill sets make a big difference.

Lastly, the model is super flexible. In terms of scope evolution for example: with a traditional pentest, scope is defined in advance – if you want to change anything, you have to pay again for another audit. Now, with Bug Bounty, I can fine-tune the program over time, I can add products or URLs to the scope – which is key to us.

Is Bug Bounty the end of pen testing? Or will it always remain complementary? 

As a trusted digital service provider, we have to run pentests to meet regulatory requirements. So, we have no choice but to continue doing traditional audits. However, if we were in an industry not subject to such regulations, there’s no question we would only use Bug Bounty. 

This year, we are going to mention bug bounty in our certification process, making the case that Bug Bounty is equivalent to intrusion testing – and actually more effective.

What’s next? 

Expanding the program to our APIs and mobile apps. 

Is there anything else you’d like to mention? 

Bug Bounty is also a key selling point for our sales team – especially with large accounts that require the most stringent security guarantees. Bug Bounty is now automatically included in our sales presentations to large accounts.